Most of the damage to Information
Technology (IT) security is not from outside malicious attacks, but
rather from simple mistakes, unintended or unauthorized actions of
legitimate users and IT engineers who are either untrained in
security and/or who misunderstood the instructions from the
management.

The two major issues mentioned replay
themselves daily in the IT world. Part of the reason this is
happening is a lack of common, proven practices and guidelines
developed for IT professionals. Unlike the legal, financial, and
medical fields, the IT field is still somewhat in its infancy. It
has yet to develop the kind of respect from the business community
that legal, financial, and medical professionals enjoy, despite the
fact that IT professionals are increasingly tasked to handle and
protect the core values of the organization—data and information
that legal, financial, medical professionals, and management
depended on.

There is no question how important the
IT department is for any organization. So what are the issues when
it comes to poor security in most IT operations? Here are the main
issues that I see:

Management vs. System
users vs. IT professionals

No one needs to tell a brain surgeon
what procedures to follow to perform an operation. No one tells a
Certified Public Accountant (CPA) how to conduct an audit for
financial matters, and no one needs to ask an attorney to maintain
attorney-client confidentiality during a trial. And yet, when it
comes to IT security, management, system users, and IT professionals
are often at odd as to what is the best course of action in response
to a given security concern. The three groups almost always have
their own ideas of how the security should function, when sometimes
at least one, or two, or all three groups do not understand each
other. Even worse still, sometimes they don’t understand the
security issues involved or the remedies available. Management
usually understands the high-level issues; users generally want
convenience; and IT of course wants to please the first two while
still doing their job. However, they all do not have a common
framework to follow, and most do not have a common policy to
follow. To make matters worse, everyone believes their way is the
best, regardless of the real over-riding issues.

Standards

There is a total lack of standards
when it comes to IT security. As mention above, all three
stakeholders have their own ideas regarding what the standards are.
And the three groups may even change the standards from time to time
in response to a given situation, even though next time around it
could be different. Things are done to solve an “urgent” issue with
an intention to revisit the actions taken later, when the urgency is
over. We all know how that goes.

Complexity of the
Information Technology

Supporting the current IT
infrastructure is exponentially more difficult than it was ten years
ago. While supporting the hardware aspect of IT has gotten
dramatically easier, supporting the rest of the IT infrastructure is
much more difficult today than it was in the past. Most management
and system users do not appreciate how difficult is to keep the IT
operation running smoothly. Management as well as system users only
see the front end of the IT system; it is all Windows, GUI, point
and click—but at the back end, IT is facing increasingly complex
configurations and environments to make everything work. Nearly all
Operating Systems and most applications today use different security
standards.

Consistency

Until just a few years ago, there was
not a concerted effort in the IT industry and among IT professionals
to focus on security. Even most training focuses on a micro-level
that is specific to the given products and at times, a given task.
Very few IT professionals have a comprehensive knowledge of all the
levels of IT security necessary for them to be able to perform their
job consistently, each and every time. Without a high-level IT
security framework and/or IT security policy, the security tasks
will be performed by an individual IT professional based on his or
her unique experience. The results are often mixed and may or may
not even be desirable. At best, even if the security tasks are
performed by the same individual, the results can be inconsistent.

Policy

Most of the organizations today either
still do not have a well defined security policy or none is ever
developed at all. Where there is a comprehensive security policy,
it is not well communicated and /or enforced because it lacks
high-level framework to guide it. Very often the policies address
security issues at a micro-level that are hard for management,
system users, and IT professionals to understand or enforce
consistently. For the organization that has a well defined security
policy, very often there is not a well trained team (a workable team
has to be composed of all stakeholders) to enforce and fine-tune it,
and over time the system breaks down.

Framework

For an IT security system to work,
more needs to be done. A well defined framework needs to be
developed involving all stakeholders, and it needs to be self-tuning
over time to be useful. Almost all of the organizations today stop
short of having a good framework to enforce and fine-tune the IT
security system. Most understand the need for a well defined
security policy, but unfortunately, most stop there after they have
developed one.

One major difference between
traditional, well respected professionals such as Medical Doctors,
CPAs, Attorneys and the IT practitioner is the IT practitioners’
lack of a structured approach to learning their trade. There is not
a well defined curriculum developed for people who intend to go into
IT fields. Most IT trainings are mainly focused on product-specific
and commercial aspects of the subject matter, combining marketing
and product promotion as part of the training. Traditional
curricula that produce the skills demanded of most computer
programmers and engineers are not suitable for keeping up with
today’s IT demands.

In conclusion, in order for any IT security system to work, a
well defined, organization-wide security framework needs to be
implemented that involves all stakeholders, and the framework needs
to be part of the organization’s core operations—its DNA— at all
levels of the organizational structure.

By
Benson Yeung, Senior Partner

Benson Yeung Biography

Mr. Yeung has over two decades of IT
architecture and security related experience, including
extensive experience as an integrator and distributor of IT
products and services. In 1991, Mr. Yeung founded Triware
Networld Systems, a San Francisco Bay Area IT systems
integrator, and in 2000, he founded Triware Networld
Solutions, Inc., a San Francisco Bay Area solution provider
for IT knowledge management.

Since 1991, Mr. Yeung has consulted on IT and business
related issues to over 300 small, medium, and large
organizations. He also contributes articles to the Loral
Computer Special Interest Group, Microsoft Project, and
Silicon Valley Computer Society monthly newsletter.

For more than two decades, Mr. Yeung has spent a significant
amount of time in IT security fields including being a
forensics investigator, auditor and has a deep understanding
of the state of IT security issues and has developed
frameworks and best practice methodologies for the field.

Mr. Yeung also works closely with various VC firms and
startups in Silicon Valley as a Visionary, Strategist,
Technology Advisor and Operations Consultant. Mr. Yeung has
a B.S. in Computer Science from Arkansas State University.
He is Microsoft Certified System Engineer & Certified
Trainer.